At 09:36 PM 11/28/01 -0800, [EMAIL PROTECTED] wrote:
>> Thu, Nov 29, 2001 at 12:35:13PM +1100, John Griffiths wrote:
>> At 05:22 PM 11/28/01 -0800, Greg Wiley wrote:
>
>> >http://www.securityfocus.com/archive/1/242750
>> >Debian 2.2 is on the list.
>>
>> Does this affect wu-ftpd's that don't allow anonymous access?
>>
>> i.e. if only users can log on, and I trust my users, can
>> I stop stressing about it until the fixed version is available?
>
>The way I understand it is that it has to do with
>file globbing so in order to exploit, an attacker
>would have to log in. So if anon is off and none
>of your users are baddies, maybe you're ok
>(although an unauthorized person might somehow know
>a legitimate authpair).
>
That's a load off my mind. I'll be updating as soon as it's available, and I'm willing to work with that risk level for a day or so. Thank you very much.